Configuring Attributes For Vpn Hardware Clients - Cisco PIX 500 Series Configuration Manual

Security appliance command line

Chapter 30
Configuring Connection Profiles, Group Policies, and Users
To delete all split tunneling domain lists, enter the no split-dns command without arguments. This
deletes all configured split tunneling domain lists, including a null list created by issuing the split-dns
command with the none keyword.
The parameter value domain-name provides a domain name that the security appliance resolves through
the split tunnel. The none keyword indicates that there is no split DNS list. It also sets a split DNS list
with a null value, thereby disallowing a split DNS list, and prevents inheriting a split DNS list from a
default or specified group policy. The syntax of the command is as follows:
hostname(config-group-policy)# split-dns {value domain-name1 [ domain-name2... domain-nameN ] | none}
hostname(config-group-policy)# no split-dns [ domain-name domain-name2 domain-nameN ]
Enter a single space to separate each entry in the list of domains. There is no limit on the number of
entries, but the entire string can be no longer than 255 characters. You can use only alphanumeric
characters, hyphens (-), and periods (.). If the default domain name is to be resolved through the tunnel,
you must explicitly include that name in this list.
The following example shows how to configure the domains Domain1, Domain2, Domain3, and
Domain4 to be resolved through split tunneling for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# split-dns value Domain1 Domain2 Domain3 Domain4
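The following is an added example, not part of the Cisco guide: a Python helper that checks a domain list against the constraints stated above before emitting the split-dns line. The function name, the default_domain parameter and the sample domains are assumptions, and the 255-character limit is assumed to apply to the space-joined list.

```python
import re

MAX_LIST_LEN = 255                        # limit on the entire domain string
ALLOWED = re.compile(r"[A-Za-z0-9.-]+")   # alphanumerics, hyphens and periods only


def build_split_dns(domains, default_domain=None):
    """Return (command, warnings) for a split-dns line, or raise ValueError.

    domains: list of domain names; an empty list yields 'split-dns none'.
    default_domain: hypothetical parameter naming the group's default domain,
    used only to warn when that name is missing from the list.
    """
    if not domains:
        return "split-dns none", []

    for name in domains:
        # fullmatch rejects spaces, underscores and any other character
        if not ALLOWED.fullmatch(name):
            raise ValueError(f"invalid characters in domain: {name!r}")

    joined = " ".join(domains)            # a single space separates entries
    if len(joined) > MAX_LIST_LEN:
        raise ValueError(
            f"domain list is {len(joined)} characters; limit is {MAX_LIST_LEN}")

    warnings = []
    listed = {d.lower() for d in domains}
    if default_domain and default_domain.lower() not in listed:
        warnings.append(
            f"default domain {default_domain!r} is not in the list "
            "and will not be resolved through the tunnel")
    return f"split-dns value {joined}", warnings


if __name__ == "__main__":
    # Constructed sample input
    cmd, notes = build_split_dns(
        ["corp.example.com", "lab.example.com"], default_domain="example.com")
    print("hostname(config-group-policy)#", cmd)
    for note in notes:
        print("warning:", note)
```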

Configuring DHCP Intercept

A Microsoft XP anomaly results in the corruption of domain names if split tunnel options exceed 255
bytes. To avoid this problem, the security appliance limits the number of routes it sends to 27 to 40
routes, with the number of routes dependent on the classes of the routes.
DHCP Intercept lets Microsoft Windows XP clients use split-tunneling with the security appliance. The
security appliance replies directly to the Microsoft Windows XP client DHCP Inform message,
providing that client with the subnet mask, domain name, and classless static routes for the tunnel IP
address. For Windows clients prior to Windows XP, DHCP Intercept provides the domain name and
subnet mask. This is useful in environments in which using a DHCP server is not advantageous.
The intercept-dhcp command enables or disables DHCP intercept. The syntax of this command is as
follows:
hostname(config-group-policy)# intercept-dhcp netmask {enable | disable}
hostname(config-group-policy)#
The netmask variable provides the subnet mask for the tunnel IP address. The no version of the command
removes the DHCP intercept from the configuration.
The following example shows how to set DHCP Intercepts for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# intercept-dhcp enable

Configuring Attributes for VPN Hardware Clients

The commands in this section enable or disable secure unit authentication and user authentication, and
set a user authentication timeout value for VPN hardware clients. They also let you allow Cisco IP
phones and LEAP packets to bypass individual user authentication and allow hardware clients using
Network Extension Mode to connect.
OL-12172-03
Cisco Security Appliance Command Line Configuration Guide